MS Antivirus
MS Antivirus, also known as XP Antivirus [BleepingComputer - XP Antivirus]; Vitae Antivirus; Windows Antivirus; Win Antivirus; Antivirus Pro; Antivirus Pro 2009, 2010, 2017 [BleepingComputer - AntivirusPro2009]; Antivirus 2007, 2008 [BleepingComputer - Antivirus 2008], 2009 [2-Spyware - Antivirus 2009], 2010 [Article noting that Antivirus 2010 and Anti-virus-1 are the same], and 360 [BleepingComputer - Antivirus360]; System Antivirus; Vista Antivirus; AntiSpywareMaster [2-Spyware - AntiSpywareMaster]; and XP AntiSpyware 2009, or Microsoft Antivirus, is a scareware rogue anti-virus which claims to remove nonexistent virus infections found on a computer running Microsoft Windows.

Method of Infection/Variants

MS Antivirus is known to infect users of the Microsoft Windows operating system and is browser-independent. One infection method involves the Zlob trojan. Another involves the use of fake codec scams, such as Video ActiveX Enhancement 2.07. Another infection method involves the Vundo Trojan. Some variants (like Antivirus Pro 2017) are still being updated even though it was discontinued. MS Antivirus is based on SpySheriff despite not being a SpySheriff clone.

Symptoms of Infection

Each variant has its own way of downloading and installing itself onto a computer. MS Antivirus is made to look professional and functional to fool a computer user into thinking that it is a real anti-virus system, in order to convince the user to purchase it. In a typical installation, MS Antivirus runs a scan on the computer and gives a false report claiming that the computer is infected with spyware. Once the scan is completed, a warning message appears that lists the spyware found, and the user has to click either a link or a button to remove it. Regardless of which button is clicked, a download box will still pop up. This deceptive tactic is an attempt to scare the Internet user into clicking on the link or button to purchase MS Antivirus.
If the user decides not to purchase the program, they will constantly receive pop-ups stating that the program has found infections and that they should register it in order to fix them. This type of behavior can cause a computer to operate slower than normal. It affects the Windows Registry. MS Antivirus will also occasionally display fake pop-up alerts on an infected computer. These alerts pretend to be a detection of an attack on that computer, and the alert prompts the user to activate, or purchase, the software in order to stop the attack. The Windows registry is also modified so the software runs at system startup.

The following files may be downloaded to an infected computer (source: http://www.ca.com/securityadvisor/pest/pest.aspx?id=453139480):
* MSASetup.exe
* MSA.exe
* MSA.cpl
* MSx.exe
* MSA0.dat
* MSA1.dat

Depending on the variant, the files will have different names and therefore can appear or be labeled differently. For example, Antivirus 2009 will have the .exe file name a2009.exe. MS Antivirus is an anti-VM rogue: it cannot be run on VMware; however, it can run on VirtualBox and other VM software. MS Antivirus had its website at www(dot)msantivirusxp(dot)com, which has been removed. The websites may be different for other variants; for example, Micro Antivirus had its website at www(dot)microantivirus2009(dot)com.

Malicious actions

Most variants of this malware will not be overtly harmful, as they usually will not steal a user's information (as spyware does) nor critically harm a system. However, the software will act to inconvenience the user by frequently displaying popups that prompt the user to pay to register the software in order to remove non-existent viruses, just like Trojan VX. Some variants are more harmful; they display popups whenever the user tries to start an application or even tries to navigate their hard drive, especially after they restart their computer. The malware does this by modifying the Windows registry.
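The file names listed above and the startup registry change can be combined into a quick triage check. The following is an added example, not code from the original page: it assumes the startup entry is written to the standard Windows Run keys (the page does not name the keys) and parses constructed sample text shaped like `reg query` output. Because the page notes that file names differ between variants, a name match is only a starting point for investigation.

```python
import re

# File names the page lists, plus its Antivirus 2009 example (a2009.exe).
PAGE_FILE_NAMES = {"msasetup.exe", "msa.exe", "msa.cpl", "msx.exe",
                   "msa0.dat", "msa1.dat", "a2009.exe"}

# A value line in `reg query` output: indent, name, type, data (4-space gaps).
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")
# Any file-name-like token in a command line, quoted or not.
FILE_TOKEN = re.compile(r'[^\\/"\s,]+\.\w{2,4}(?=["\s,]|$)')


def referenced_files(command):
    """Lower-cased file names a startup command refers to, arguments included."""
    return {m.lower() for m in FILE_TOKEN.findall(command)}


def triage_run_keys(reg_output):
    """Return (key, value name, matched file names) for each suspicious entry."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()  # remember which key the next values belong to
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        hits = referenced_files(m.group(3)) & PAGE_FILE_NAMES
        if hits:
            findings.append((key, m.group(1), sorted(hits)))
    return findings


# Constructed sample (paths and value names are made up for illustration).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Tools\notmsa.exe" /quiet
    MS AV    REG_SZ    "C:\Program Files\MSA\MSA.exe" /startup

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Panel    REG_SZ    rundll32.exe shell32.dll,Control_RunDLL C:\Demo\MSA.cpl
    Scan    REG_EXPAND_SZ    %TEMP%\a2009.exe
"""

if __name__ == "__main__":
    for key, name, hits in triage_run_keys(SAMPLE):
        print(f"{key} :: {name} -> {', '.join(hits)}")
```

Matching on whole file names rather than substrings keeps `notmsa.exe` from being flagged, and scanning arguments catches a listed `.cpl` launched through `rundll32.exe`.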
Whichever variant infects a computer, MS Antivirus always uses system resources when running, potentially making an infected computer run slower than before. MS Antivirus claims that the user has the old virus Blaster/Sasser. MS Antivirus detects real viruses after activating the rogue software. Some variants, such as Antivirus 2009, can drop a fake Windows Security Center when executed, claiming that Windows has detected the unregistered version of the rogue.

The malware can also block access to known spyware removal sites, and in some instances, searching for "antivirus 2009" (or similar search terms) on a search engine will result in a blank page or an error page. Some variants will also redirect the user from the actual Google search page to a false Google search page that states that the user has a virus and should get Antivirus 2009, with a hotlink to the virus’s page. This false Google search page no longer works since Google has been updated.

Antivirus 2009 also disables a user’s antimalware programs and prevents the user from opening or re-enabling them. Antimalware applications disabled by Antivirus 2009 include McAfee, Spybot - Search & Destroy, AVG and Superantispyware. Some modern variants will disable Malwarebytes. MS Antivirus is constantly updated and re-released to prevent detection by common anti-spyware and anti-virus scanners.

Removal

Removing MS Antivirus is not difficult as it would disable antimalware applications and attempt to recreate itself. Some variants will also disable Malwarebytes. Some antimalware applications like Ad-aware and Vundofix can remove MS Antivirus components. AdwCleaner should clean pop-ups and corrupt files. Using antivirus software can prevent this infection from entering the computer. However, because MS Antivirus is updated and re-released to prevent detection by anti-virus scanners, it would not be possible to remove these variants. If the above removal solutions do not work, deleting registry entries and files related to MS Antivirus would prevent the infection from entering the computer.

See also
* Rogue software
* Adware
* Malware
* SpySheriff

References
http://www.bleepingcomputer.com/virus-removal/remove-ms-antivirus